Developers of apps for Apple’s iPhone and iPad can no longer harvest contacts, photos, and other user data stored on a device with their app installed and create databases of contact information for their own use, according to a recent update by Apple to its App Store Review Guidelines.
This new explicit guidance, published on June 4, doesn’t put a technical bar in place. Rather, it informs developers that they can’t collect information from their users about friends, family, colleagues, and connections except for a purpose designed for that user within that app. The guidelines also prohibit selling or distributing such data to third parties.
The iOS contacts list can contain an array of information about someone, depending on how fully a user has fleshed out details. Birthdate, a photo, the person’s spouse and children, multiple addresses, and other information can all be stored—and retrieved by developers.
The revised guidelines also state that apps can’t contact other people using information retrieved from a user’s contacts or photos without requiring explicit individual permission from the user for each message. They specifically prohibit a “Select All option or default…selection of all contacts.” And the messages must make clear the form in which they’re sent, such as who the sender will appear to be.
While these updates came during Apple’s annual Worldwide Developer Conference, a gathering of thousands of programmers who develop software for its platforms, the company didn’t announce or otherwise highlight them. Bloomberg first noticed the change.
It might surprise iOS users that no prohibition existed against companies collecting information and retaining it, although Apple has required disclosures about what data was collected and how it was used, and the Federal Trade Commission offers the same advice.
Apple enforces rules like this prospectively. So far, there are no reports of developers asked to purge databases. But any app update submitted will have to conform to the new rules, although Apple has granted temporary exceptions in the past for some of its guideline updates, particularly for established and trusted apps and companies.
The company’s app review process involves a combination of automated and human review of code and behavior, and any app that asks for permission for user data, like contacts, will obviously receive additional scrutiny if it sends the data to a server. Some apps rely on a user’s contacts to avoid marking email, text messages, or phone calls as spam, such as call-blocking apps that can mark incoming calls as from a marketer or as fraud.